Merge pull request ocp-power-automation#243 from aishwaryabk/fips-branch

To enable FIPS

docs/var.tfvars-doc.md

@@ -140,6 +140,14 @@ If `cluster_if_prefix` is not set, the `cluster_id` will be used only without pr
 A random value will be used for `cluster_id` if not set.
 The total length of `cluster_id_prefix`.`cluster_id` should not exceed 14 characters.
 
+### FIPS Variable for OpenShift deployment
+
+These variables will be used for deploying OCP in FIPS mode.
+Change the values as per your requirement.
+```
+fips_compliant      = false
+```
+
 ### Misc Customizations
 
 These variables provides miscellaneous customizations. For common usage scenarios these are not required and should be left unchanged.

modules/5_install/install.tf

@@ -52,6 +52,7 @@ locals {
         log_level                  = var.log_level
         release_image_override     = var.enable_local_registry ? local.local_registry_ocp_image : var.release_image_override
         enable_local_registry      = var.enable_local_registry
+        fips_compliant             = var.fips_compliant
         node_connection_timeout    = 60 * var.connection_timeout
         rhcos_pre_kernel_options   = var.rhcos_pre_kernel_options
         rhcos_kernel_options       = var.rhcos_kernel_options

modules/5_install/templates/install_vars.yaml

@@ -10,6 +10,7 @@ storage_type: ${storage_type}
 log_level: ${log_level}
 release_image_override: '${release_image_override}'
 enable_local_registry: ${enable_local_registry}
+fips_compliant: "${fips_compliant}"
 
 node_connection_timeout: ${node_connection_timeout}
 

modules/5_install/variables.tf

@@ -43,6 +43,7 @@ variable "worker_ips" {}
 variable "public_key" {}
 variable "pull_secret" {}
 variable "release_image_override" {}
+variable "fips_compliant" {}
 
 variable "private_network_mtu" {}
 

ocp.tf

@@ -164,6 +164,7 @@ module "install" {
     release_image_override          = var.release_image_override
     private_network_mtu             = var.private_network_mtu
     enable_local_registry           = var.enable_local_registry
+    fips_compliant                  = var.fips_compliant
     local_registry_image            = var.local_registry_image
     ocp_release_tag                 = var.ocp_release_tag
     install_playbook_repo           = var.install_playbook_repo

var.tfvars

@@ -41,7 +41,7 @@ pull_secret_file            = "data/pull-secret.txt"
 cluster_domain              = "ibm.com"  # Set domain to nip.io or xip.io if you prefer using online wildcard domain and avoid modifying /etc/hosts
 cluster_id_prefix           = "test-ocp" # Set it to empty if just want to use cluster_id without prefix
 cluster_id                  = ""         # It will use random generated id with cluster_id_prefix if this is not set
-
+#fips_compliant             = false   # Set it true if you prefer to use FIPS enable in ocp deployment
 
 ### Misc Customizations
 

variables.tf

@@ -287,7 +287,7 @@ variable "install_playbook_repo" {
 variable "install_playbook_tag" {
     description = "Set the branch/tag name or commit# for using ocp4-playbooks repo"
     # Checkout level for https://github.com/ocp-power-automation/ocp4-playbooks which is used for running ocp4 installations steps
-    default = "a328a8d03c043d4f7c38300f35bba471bc81bd37"
+    default = "284b597b3e88c635e3069b82926aa16812238492"
 }
 
 variable "ansible_extra_options" {
@@ -341,6 +341,12 @@ variable "cluster_id" {
     default   = ""
 }
 
+variable "fips_compliant" {
+  type        = bool
+  description = "Set to true to enable usage of FIPS for OCP deployment."
+  default     = false
+}
+
 variable "dns_forwarders" {
     default   = "8.8.8.8; 8.8.4.4"
 }